Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.Find out more
We are excited to share the latest edition of the Law Update, beautifully and appropriately titled “Sustainable Horizons: The Saudi Arabian Vision.” Giving special honor to the Kingdom’s 2030 vision, this update focuses on a collection of both informative and inspiring articles.
For those in construction, you can learn about how the tendering environment impacts risk-pricing for contractors, the updates on the legal framework of the construction industry and how contractors can protect themselves against financial difficulties.
There is good news too from the kingdom’s banking sector, from which the practice of “Open Banking” is being pushed for! But what is open banking? We’re answering that too.
Also . . . Are there any women trail blazers in Saudi Arabia you can name? We’ll help you with that. We cover how the Middle East has been making strides in empowering women in the entrepreneurial space,most notably in STEM fields.Read the full edition
Andrew Fawcett - Partner - Digital & Data
Krishna Jhala - Senior Associate - Digital & Data
The Kingdom of Bahrain’s Law No. 30 of 2018 promulgating the Personal Data Protection Law (‘PDPL’), which came into effect on 1, August 2019, gives data subjects resident in the Kingdom the right to object to decisions made based only on automatic processing (Article 22 of the PDPL).
The banking and finance sector is likely to be impacted by this new statutory right.
An automated process for scoring loans can calculate and score qualitative and quantitative risk factors and weigh each according to the type of loan in order to automatically generate a loan decision.
Automating loan decisions are said to be highly beneficial to the banking and finance sector as a whole for the following reasons:
While described as a ‘right to object’ to decisions based on automated processing, the right granted under Article 22 to individuals (potential borrowers in this scenario) is actually a right to request processing in a manner that is not solely automated.
Article22 (1) states, in part (in its English translation):
“If a decision is based solely on automated processing of personal data intended to assess the data subject regarding his performance at work, financial standing, credit-worthiness, reliability or conduct, then the data subject shall have the right to request processing in a manner that is not solely automated.”
Re-consideration of the automated decision by an human is obligatory in these circumstances and must be done free of charge for the data subject.
The Board of the Personal Data Protection Authority (‘Authority’) is yet to issue a regulation specifying procedures relating to the submission and processing of the request under Article 22. Although, the Minister of Justice, Islamic Affairs and Awqaf has recently been tasked under Decree No. (78) of 2019 with the duties and powers prescribed under the PDPL for the Authority to date, no regulations have been issued regarding Article 22. What remains unclear is, whether in the absence of these processes, data subjects can exercise their rights under Article 22.
Further, the right to object under Article 22 expressly does not apply “in favour of the Data Subject, where the decision is taken in the course of entering into or performance of a contract with the data subject, provided that suitable measures to safeguard his legitimate interests have been taken, such as hearing the data subject’s view.”
It is worth noting that any person who incurs damage arising from processing of their personal data by a data controller (whether by automated means or otherwise) has the right under Article 57 of the PDPL to compel the data controller to pay compensation with a view to repairing the damage.
The right to object only applies to decisions that are based solely on automated processing of personal data. Where a loan decision is not fully automated, the right does not apply.
As noted above, the Authority has not issued any guidance on the application of Article 22(2) of the PDPL. However, this PDPL provision appears to be based on Article (22)(2)(a) and 22(3) of the European
Union’s General Data Protection Regulation (EU) 2016/679 (‘GDPR’).
These equivalent GDPR provisions likely provide some guidance for interpretation of the PDPL. Under the GDPR, a data subject does not have a right to object to a decision based solely on automated means if:
Guidelines for the GDPR produced by the advisory body known as the Article 29 Working Party (or WP29), gives examples of ‘suitable measures’ that enable the data subject to obtain human intervention, express their point of view and contest the decision.
Consequently, if for example, an online bank in Bahrain is offering loans and a decision on whether or not a loan should be offered based on an algorithm is taken, it appears under the PDPL the bank should:
Banks and other financers in the Kingdom of Bahrain do not necessarily use automated loan decisions for every type of loan offering considering that numerous factors make up their business strategies and lending decisions. However, if they do make a decision based solely on an algorithm or other automated process they need to be aware that:
For further information please contact, Andrew Fawcett (firstname.lastname@example.org) or Krishna Jhala (email@example.com)
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.